
[AWS Solution Architect] VPC

VPC

  • Virtual Private Cloud
  • It lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

Core Components



Key features

  • you can set its tenancy to default or dedicated
    • tenancy
      how EC2 instances are distributed across physical hardware; it also affects pricing
    • default
      Multiple AWS accounts may share the same physical hardware.
    • dedicated
      Your instance runs on single-tenant hardware.
  • Region Specific
    • they do not span regions
  • 5 VPCs per region
  • Every region comes with a default VPC
  • 200 subnets per VPC
  • The address of the VPC: an IPv4 CIDR block (plus, optionally, an IPv6 CIDR block)
  • Cost nothing (they don’t cost you anything)
    • VPCs / Route Tables / NACLs / Internet Gateways / Security Groups and Subnets / VPC Peering
  • Some things cost money
    • NAT Gateway / VPC Endpoints / VPN Gateway / Customer Gateway
  • DNS hostnames
    • disabled by default
    • controls whether your instances get domain-name (DNS) addresses
    • when you create a VPC, it doesn’t have DNS hostnames turned on by default
    • that is what gives your instances a public DNS name



Default VPC


  • DHCP (Dynamic Host Configuration Protocol)
    a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information, such as the subnet mask and default gateway.

Default Everywhere IP

  • 0.0.0.0/0: the destination that means anywhere, i.e. the internet



VPC Peering

  • allows you to connect one VPC to another over a direct network route using private IP addresses.

  • the idea
    • we have a VPC A and a VPC B
    • and we want them to behave as if they’re on the same network
    • that’s what a VPC peering connection allows us to do
  • it’s very simple to create a peering connection
    • just give it a name, then choose
      • the requester, which could be VPC A
      • the accepter, which could be VPC B
  • allows VPCs to talk to each other even if they’re in different regions

Limitations around the configuration

  • when you are peering, you’re using a star configuration
    • 1 central VPC, and you might have 4 other VPCs around it
    • each of those VPCs has to have its own peering connection to the centre.
  • There’s No Transitive Peering
    • if VPC C wants to talk to VPC B, the traffic is not going to flow through A
    • you actually would have to create another direct connection from C to B
    • the idea
      communication only happens with the nearest neighbour, the VPC you are directly peered with.
  • You can't have Overlapping CIDR Blocks
    • if both VPCs had the same CIDR block (172.31.x in the example)
    • we’re gonna have a conflict
    • we’re not gonna be able to talk to each other
    • that’s VPC peering in a nutshell
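The two peering rules above (no overlapping CIDR blocks, no transitive peering) are easy to check before you file a peering request. The script below is an added example written for this post, not code from the video or from AWS: it models VPCs and peering connections as plain Python data, uses the standard `ipaddress` module for the overlap test, and treats reachability as "direct peering only", which is exactly why a star layout needs one connection per spoke pair that must talk. The VPC names and CIDRs are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample VPCs: a hub (vpc-a) with spokes in a star layout.
# vpc-d deliberately reuses vpc-a's CIDR to show the overlap rule.
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.0.0/16",
}

# Peering connections as (requester, accepter) pairs: a star around vpc-a.
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-a", "vpc-c")]


def overlapping_cidrs(vpcs):
    """Pairs of VPCs whose CIDR blocks overlap; such pairs cannot be peered."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(x, y) for x, y in combinations(sorted(nets), 2)
            if nets[x].overlaps(nets[y])]


def can_peer(vpcs, a, b):
    """A peering connection is only valid when the two CIDR blocks do not overlap."""
    return not ipaddress.ip_network(vpcs[a]).overlaps(ipaddress.ip_network(vpcs[b]))


def reachable(peerings, src, dst):
    """Reachability over private IPs: only a DIRECT peering counts.
    There is no transitive peering, so src -> hub -> dst never works."""
    return (src, dst) in peerings or (dst, src) in peerings


def missing_connections(vpcs, peerings):
    """VPC pairs that still need their own peering connection before they can talk."""
    return [(x, y) for x, y in combinations(sorted(vpcs), 2)
            if not reachable(peerings, x, y)]


if __name__ == "__main__":
    print("overlapping:", overlapping_cidrs(VPCS))
    print("vpc-b -> vpc-a:", reachable(PEERINGS, "vpc-b", "vpc-a"))
    print("vpc-b -> vpc-c:", reachable(PEERINGS, "vpc-b", "vpc-c"))  # False: no transitive peering
    print("still needed:", missing_connections(VPCS, PEERINGS))
```

Running it shows that the spokes vpc-b and vpc-c cannot reach each other through the hub, and that vpc-d can never be peered with vpc-a while they share 10.0.0.0/16.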



Route Tables

  • in the route table we can see the routes; the one whose target is the internet gateway is what allows access to the internet.



IGW (Internet Gateway)

  • It allows your VPC access to the internet


  • we need to create a new route in our route table for the IGW
  • the target is the igw-id, which identifies that resource
  • then we give it 0.0.0.0/0 as the destination

  • NAT : Network Address Translation
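To make the route-table and "default everywhere IP" points concrete, here is an added example (not code from the video or from AWS) that evaluates a route table the way the VPC does, with the most specific matching prefix winning, and flags a subnet as internet-facing when its default route 0.0.0.0/0 points at an internet gateway. The route tables and the igw-/pcx-/nat- target ids are constructed placeholders, not real resource ids.

```python
import ipaddress

# Constructed route tables for a 10.0.0.0/16 VPC. "local" is the route every
# route table carries for the VPC's own CIDR block and cannot be removed.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-EXAMPLE"),   # peered VPC (placeholder id)
    ("0.0.0.0/0", "igw-EXAMPLE"),     # everywhere else -> internet gateway (placeholder id)
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-EXAMPLE"),     # outbound only, via a NAT gateway (placeholder id)
]


def lookup(route_table, dst_ip):
    """Target for dst_ip by longest-prefix match, or None when no route matches."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def is_public_subnet(route_table):
    """A subnet is public when its default route is sent to an internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)


if __name__ == "__main__":
    for rt_name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(rt_name, "internet-facing:", is_public_subnet(rt))
        for ip in ("10.0.5.9", "10.1.2.3", "8.8.8.8"):
            print(f"  {ip} -> {lookup(rt, ip)}")
```

The same `is_public_subnet` check is the first thing to run when auditing which subnets an instance with a public IP would be reachable from: a 0.0.0.0/0 route to a NAT gateway gives outbound access only, while the same route to an IGW opens the subnet to inbound traffic from the internet.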

Bastion (= Jumpbox)


  • SSH (Secure Shell)
    a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.
  • RCP (Remote copy)
    a tool for copying files to/from remote computers
  • let’s say you wanted to SSH into an EC2 instance that’s in a private subnet: it doesn’t have a public IP address.
  • So what you need is an intermediate EC2 instance that you SSH into first, which is the Bastion
  • And then you jump from that box to the private one
    • that’s why bastions are also known as jumpboxes


  • the EC2 instance for the bastion is hardened
    • so it should be very secure
      • because it’s going to be your point of entry into your private EC2 instances.
  • some people might ask: can’t we just turn a NAT instance (like a NAT gateway) into a bastion?

You can configure NATs that way, but from a security perspective you’d never ever want to do that; you always want a separate EC2 instance as your Bastion.

There is a service called Systems Manager Session Manager. It replaces the need for bastions, so you don’t have to launch your own EC2 instance. Generally, that’s what AWS recommends.

But as you know, Bastions are still commonly used throughout a lot of companies because they meet whatever their requirements are, and they’re just comfortable with them.
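The bastion pattern described above only holds if the security groups enforce it: the private instances accept SSH from the bastion's security group alone, the bastion does not accept SSH from the whole internet, and no other box (the NAT instance in particular) is quietly doubling as a jump host. The audit below is an added example written for this post, not code from the video or from AWS; it runs over a constructed inventory of security-group rules (ids, CIDRs and roles are all sample values) and reports every SSH rule that breaks the pattern.

```python
import ipaddress

SSH = 22

# Constructed inventory: sg id -> inbound rules. A rule source is either a CIDR
# string or another security-group id (the console allows both forms).
SECURITY_GROUPS = {
    "sg-bastion": [{"port": SSH, "source": "203.0.113.0/24"}],   # office range (TEST-NET-3)
    "sg-private-app": [{"port": SSH, "source": "sg-bastion"},
                       {"port": 8080, "source": "10.0.0.0/16"}],
    "sg-nat": [{"port": SSH, "source": "0.0.0.0/0"},              # bad: NAT box doubles as a jump host
               {"port": 443, "source": "10.0.0.0/16"}],
}
# Which role each group plays; constructed to match the section above.
ROLES = {"sg-bastion": "bastion", "sg-private-app": "private", "sg-nat": "nat"}


def open_to_internet(source):
    """True for sources that admit the whole IPv4 (0.0.0.0/0) or IPv6 (::/0) internet."""
    try:
        net = ipaddress.ip_network(source)
    except ValueError:
        return False  # a security-group id, not a CIDR
    return net.prefixlen == 0


def findings(groups, roles):
    """Return (sg-id, message) for every SSH rule that breaks the bastion pattern."""
    bastions = {sg for sg, role in roles.items() if role == "bastion"}
    out = []
    for sg, rules in groups.items():
        for rule in rules:
            if rule["port"] != SSH:
                continue
            src = rule["source"]
            if open_to_internet(src):
                out.append((sg, "SSH open to the internet"))
            elif roles.get(sg) == "private" and src not in bastions:
                out.append((sg, f"SSH allowed from {src}, not from a bastion"))
    return out


if __name__ == "__main__":
    for sg, msg in findings(SECURITY_GROUPS, ROLES):
        print(f"{sg}: {msg}")
```

On the sample data the only finding is the NAT instance exposing SSH to 0.0.0.0/0, which is the "never turn your NAT into a bastion" point from the text. The same logic applies when Session Manager replaces the bastion: then no group at all should carry an inbound port-22 rule.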


Direct Connect


  • depending on what configuration you get
    • in the lower bandwidth tier, you are looking at between 50 megabytes and 500 megabytes.
    • in the higher bandwidth tier, 1 gigabyte to 10 gigabytes
  • so the transfer rate from your on-premise environment, the network, to AWS is considerably fast.

  • this can be really important if you are an enterprise and you want to keep the same level of performance that you’re used to.

  • direct connect helps reduce network costs and increase bandwidth throughput

  • it provides a more consistent network experience than a typical internet-based connection

Words

  • full-name known as short-name
    • (= short-name stands for full-name)
  • it’s pretty easy going forward
  • in addition to
  • come with
  • imply
  • I have a representation of how it works, so the idea is ~
  • intend for (=mean)
  • be hardened : made hard, firm
  • premise environment
  • considerably (= significantly)
  • typical (= representative)
  • bandwidth throughput : bandwidth throughput

The copyright of all material here belongs to the video https://www.youtube.com/watch?v=Ia-UEYYR44s. This post is just for studying for the AWS SAA.

This post is licensed under CC BY 4.0 by the author.
